I have been using OpenVPN for years and appreciate that it only requires a single TCP or UDP port, which makes it fairly easy to set up even when one site is behind NAT or has a dynamic IP address. Setting up IPsec in the same situation is more involved.
However, EdgeRouter hardware offloading does not support OpenVPN. In this example we will set up an IPsec site-to-site VPN between two EdgeRouters: one site has a static IP, while the other has a dynamic Internet IP and sits behind a NAT device (e.g. an ISP-provided router). In my case the ISP-provided router is an Optus/Sagemcom router, and its example config is available in another article. If your environment is simpler than this, refer to the Ubiquiti help articles.
Environment
Site “S” with static IP
- WAN (Internet) IP is 1.2.3.4
- EdgeRouter LAN 192.168.11.254/24
Site “D” with dynamic IP
- Internet IP: dynamic, DDNS site-d-ddns-host-name.kaosy.org
- EdgeRouter WAN 192.168.0.2
- EdgeRouter LAN 192.168.12.254/24
[ Site S ]                                   [ Site D ]
LAN ----- EdgeRouter ----- Internet ----- ISP-provided router ----- EdgeRouter ----- LAN
             |                                     |                      |
   WAN 1.2.3.4                 WAN site-d-ddns-host-name.kaosy.org   WAN 192.168.0.2
   LAN 192.168.11.254/24       LAN 192.168.0.1                       LAN 192.168.12.254/24
Prerequisites:
- The ISP-provided router needs port forwarding configured for UDP 500, UDP 4500, ESP and AH.
- DDNS for site D. Any implementation will do, as long as site-d-ddns-host-name.kaosy.org points to the right IP address.
IPsec VPN config
Site “S” with static IP
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            pfs dh-group14
            proposal 1 {
                encryption aes256
                hash sha256
            }
        }
        ike-group FOO0 {
            key-exchange ikev2
            proposal 1 {
                dh-group 14
                encryption aes256
                hash sha256
            }
        }
        site-to-site {
            peer site-d-ddns-host-name.kaosy.org {
                authentication {
                    id 1.2.3.4
                    mode pre-shared-secret
                    pre-shared-secret ****************
                    remote-id 192.168.0.2
                }
                connection-type initiate
                description auer
                ike-group FOO0
                local-address 1.2.3.4
                tunnel 1 {
                    esp-group FOO0
                    local {
                        prefix 192.168.11.0/24
                    }
                    remote {
                        prefix 192.168.12.0/24
                    }
                }
            }
        }
    }
}
Site “D” with dynamic IP behind NAT
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            pfs dh-group14
            proposal 1 {
                encryption aes256
                hash sha256
            }
        }
        ike-group FOO0 {
            key-exchange ikev2
            proposal 1 {
                dh-group 14
                encryption aes256
                hash sha256
            }
        }
        site-to-site {
            peer 1.2.3.4 {
                authentication {
                    id 192.168.0.2
                    mode pre-shared-secret
                    pre-shared-secret ****************
                    remote-id 1.2.3.4
                }
                connection-type initiate
                description twer
                dhcp-interface eth0
                ike-group FOO0
                tunnel 1 {
                    esp-group FOO0
                    local {
                        prefix 192.168.12.0/24
                    }
                    remote {
                        prefix 192.168.11.0/24
                    }
                }
            }
        }
    }
}
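Most failures in this kind of setup come from the two sides not mirroring each other: the `id` on one router must equal the `remote-id` on the other, the IKE proposals must match, and each tunnel's local/remote prefixes must be swapped. The following script is an added example, not part of the original post or EdgeOS itself; it parses both routers' `show configuration commands` output (one `set ...` line per leaf) and reports any mismatch. The `sample` helper is hypothetical and only builds constructed input using the addresses from this article.

```python
import shlex

def parse_set_commands(text):
    """Nested dict from EdgeOS 'set ...' lines; each value becomes a key."""
    root = {}
    for line in text.splitlines():
        toks = shlex.split(line)
        if toks[:1] == ["set"]:
            node = root
            for tok in toks[1:]:
                node = node.setdefault(tok, {})
    return root

def leaf(node, *path):
    for key in path:  # walk the path and return its single value (the only key left)
        node = node[key]
    (value,) = node
    return value

def check_mirror(cfg_a, cfg_b):
    """List mismatches between the two peers' definitions; [] means OK."""
    a = next(iter(cfg_a["vpn"]["ipsec"]["site-to-site"]["peer"].values()))
    b = next(iter(cfg_b["vpn"]["ipsec"]["site-to-site"]["peer"].values()))
    problems = []
    # IKE identities must cross: my 'id' is the other side's 'remote-id'.
    if leaf(a, "authentication", "id") != leaf(b, "authentication", "remote-id"):
        problems.append("A id != B remote-id")
    if leaf(b, "authentication", "id") != leaf(a, "authentication", "remote-id"):
        problems.append("B id != A remote-id")
    # The referenced ike-group blocks must be identical on both sides.
    if cfg_a["vpn"]["ipsec"]["ike-group"][leaf(a, "ike-group")] != \
            cfg_b["vpn"]["ipsec"]["ike-group"][leaf(b, "ike-group")]:
        problems.append("ike-group proposals differ")
    # Each tunnel's local/remote prefixes must be swapped on the other side.
    for num, ta in a["tunnel"].items():
        tb = b["tunnel"].get(num)
        if tb is None or (leaf(ta, "local", "prefix"), leaf(ta, "remote", "prefix")) != (
                leaf(tb, "remote", "prefix"), leaf(tb, "local", "prefix")):
            problems.append(f"tunnel {num} is missing or not mirrored")
    return problems

def sample(peer, my_id, remote_id, local, remote):
    """Hypothetical helper: constructed 'show configuration commands' output for one side."""
    p = f"set vpn ipsec site-to-site peer {peer} "
    return "\n".join(["set vpn ipsec ike-group FOO0 proposal 1 encryption aes256",
                      p + f"authentication id {my_id}", p + f"authentication remote-id {remote_id}",
                      p + "ike-group FOO0", p + f"tunnel 1 local prefix {local}",
                      p + f"tunnel 1 remote prefix {remote}"])

SITE_S = sample("site-d-ddns-host-name.kaosy.org", "1.2.3.4", "192.168.0.2", "192.168.11.0/24", "192.168.12.0/24")
SITE_D = sample("1.2.3.4", "192.168.0.2", "1.2.3.4", "192.168.12.0/24", "192.168.11.0/24")
```

Run `check_mirror(parse_set_commands(SITE_S), parse_set_commands(SITE_D))` against the real output of both routers; an empty list means the two sides agree.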
WAN_LOCAL rules
To allow the EdgeRouter to be reachable from the other site (e.g. via HTTPS or SSH for remote management), consider adding the following WAN_LOCAL rules.
Site “S” with static IP
firewall {
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 99 {
            action accept
            description "Allow IPsec to EdgeRouter"
            destination {
                address 192.168.11.254
            }
            ipsec {
                match-ipsec
            }
            log disable
            protocol all
            source {
                address 192.168.12.0/24
            }
        }
    }
}
Site “D” with dynamic IP behind NAT
firewall {
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 99 {
            action accept
            description "Allow IPsec to EdgeRouter"
            destination {
                address 192.168.12.254
            }
            ipsec {
                match-ipsec
            }
            log disable
            protocol all
            source {
                address 192.168.11.0/24
            }
        }
    }
}